Access-list question

Mar 22nd, 2004

We have an issue with a device on a route receiving TCP resets whenever a connection is attempted. This route goes through a third party. We have removed all blocks on our part of the network. My question is: how do access-lists deal with denied packets? Do they direct the packet to Null0 and simply drop the packet, or would an extended access-list denying on a TCP rule send a reset, thereby closing the connection? My own feeling is that there may be a firewall rule in the way, as the reset is at layer 4. Would appreciate some clarification.

Thanks.


Steve.

keith.campbell Mon, 03/22/2004 - 03:58

Denied packets are dropped by access lists (and logged if configured to do so).

Standard access lists just look at the addressing; extended access lists look at the TCP port etc. to decide to pass through the list or to drop.

It sounds as if the TCP reset is coming from the remote end.

Best of luck

Harold Ritter (Cisco Employee) Mon, 03/22/2004 - 04:50

Additionally, a packet being denied by the ACL causes the router to send an ICMP message (code 3 (destination unreachable), subcode 13 (Communication Administratively Prohibited)) to the source of the packet.


Hope this helps,
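
Taken together, the two replies give the rule this diagnosis turns on: a router ACL drops the packet and answers with an ICMP destination unreachable (type 3, code 13), whereas a TCP RST can only be produced by a TCP stack, or by a stateful firewall answering on its behalf, at the far end. The following is an added example, not code from the original thread, that applies that rule to the reply received after a SYN probe. It builds the candidate replies from constructed sample packets (probe source 10.0.0.5, destination 192.0.2.10, filtering router 198.51.100.1; these addresses and the zeroed checksums are assumptions, the packets are parsed and never transmitted) and reports which address generated the answer, which in the ICMP case is the filtering hop rather than the destination.

```python
"""Classify the reply to a TCP SYN probe: RST from the far end vs ICMP admin-prohibited from a router."""
import ipaddress
import struct

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10

# ICMP type 3 (destination unreachable) codes from RFC 792, with 9/10 (RFC 1122) and 13 (RFC 1812)
ICMP_UNREACH_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 9: "net administratively prohibited",
    10: "host administratively prohibited", 13: "communication administratively prohibited",
}
ADMIN_PROHIBITED = {9, 10, 13}


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal 20-byte IPv4 header. Checksum left zero: these packets are parsed, never sent."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_tcp(sport, dport, flags, seq=0, ack=0):
    """20-byte TCP header with no options (data offset 5)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 0, 0, 0)


def build_icmp_unreach(code, offending_packet):
    """RFC 792 destination unreachable: type 3, code, checksum, unused word,
    followed by the offending IP header plus the first 8 bytes of its payload."""
    ihl = (offending_packet[0] & 0x0F) * 4
    return struct.pack("!BBHI", 3, code, 0, 0) + offending_packet[: ihl + 8]


def parse_ipv4(pkt):
    ver_ihl, _, total, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total]}


def classify_reply(reply, probe_src, probe_dst, probe_sport, probe_dport):
    """Decide what answered a SYN sent from probe_src:probe_sport to probe_dst:probe_dport.
    Returns a dict with a 'verdict' and 'from', the address that generated the reply."""
    if reply is None:
        return {"verdict": "silent_drop", "from": None}
    ip = parse_ipv4(reply)
    if ip["proto"] == 6 and len(ip["payload"]) >= 14:
        sport, dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", ip["payload"][:14])
        if ip["src"] == probe_dst and (sport, dport) == (probe_dport, probe_sport) and flags & TCP_RST:
            # Only a TCP stack (or a stateful firewall speaking for it) emits a RST.
            return {"verdict": "tcp_reset", "from": ip["src"]}
    if ip["proto"] == 1 and len(ip["payload"]) >= 8:
        itype, icode = ip["payload"][0], ip["payload"][1]
        if itype == 3:
            # The quoted header tells us which of our packets the router refused.
            quoted = parse_ipv4(ip["payload"][8:])
            if quoted["src"] == probe_src and quoted["dst"] == probe_dst and quoted["proto"] == 6:
                q_sport, q_dport = struct.unpack("!HH", quoted["payload"][:4])
                if (q_sport, q_dport) == (probe_sport, probe_dport):
                    verdict = "icmp_admin_prohibited" if icode in ADMIN_PROHIBITED else "icmp_unreachable"
                    return {"verdict": verdict, "from": ip["src"], "code": icode,
                            "reason": ICMP_UNREACH_CODES.get(icode, "unknown")}
    return {"verdict": "unrelated", "from": ip["src"]}


# Constructed sample exchange (assumed addresses, not a real network).
PROBE = build_ipv4("10.0.0.5", "192.0.2.10", 6, build_tcp(40000, 443, TCP_SYN, seq=1000))
# Reply A: the far host's TCP stack refuses the connection with RST/ACK.
REPLY_RST = build_ipv4("192.0.2.10", "10.0.0.5", 6, build_tcp(443, 40000, TCP_RST | TCP_ACK, ack=1001))
# Reply B: an intermediate router's ACL denies the SYN and reports type 3 / code 13 from its own address.
REPLY_ACL = build_ipv4("198.51.100.1", "10.0.0.5", 1, build_icmp_unreach(13, PROBE))

if __name__ == "__main__":
    for name, pkt in (("rst", REPLY_RST), ("acl", REPLY_ACL), ("none", None)):
        print(name, classify_reply(pkt, "10.0.0.5", "192.0.2.10", 40000, 443))
```

The "from" field is the practical output: for a RST it is the probed host, for an ICMP 3/13 it is the router that holds the ACL, which is usually not the destination and is where to look next.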

rvf500 Mon, 03/22/2004 - 05:41

Thanks guys, yes that has helped us out. The ICMP returns helped us to look in the right direction to sort this.

k.siu Thu, 04/01/2004 - 19:01

Dear all

I added an ACL at an interface, but it is logging this message.

136.136.1.1 is a router interface.

Why is the source the router IP and not the PC address?


%SEC-6-IPACCESSLOGDP: list 2302 denied icmp 136.136.1.1 -> 151.199.214.230 (3/13), 2 packets

%SEC-6-IPACCESSLOGDP: list 2302 denied icmp 136.136.1.1 -> 130.85.193.10 (3/13), 1 packet

%SEC-6-IPACCESSLOGDP: list 2302 denied icmp 136.136.1.1 -> 12.222.154.63 (3/13), 1 packet


Extended IP access list 2302

permit ip 136.136.1.0 0.0.0.255 136.136.0.0 0.0.255.255

deny ip 136.136.1.0 0.0.0.255 any log-input (20351 matches)

permit ip any any (48654 matches)


thank you
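
The logged packets are ICMP (3/13) messages, the type 3 / code 13 unreachables that Harold's reply describes the router generating, and a router sources those from its own interface address, which is consistent with 136.136.1.1 rather than a PC appearing as the source. Below is an added example, not from the original post, that parses %SEC-6-IPACCESSLOGDP lines into records and separates router-generated unreachables from transit traffic. The regular expression is written from the three lines posted here; the per-port form (IPACCESSLOGP) and the "(interface mac)" field that log-input adds are assumptions about the format, and the TCP line included for contrast is constructed.

```python
"""Parse IOS %SEC-6-IPACCESSLOG* lines and separate router-generated ICMP unreachables from transit."""
import re
from collections import Counter

# Format taken from the lines in the post; the (port) suffixes, the "(interface mac)" field
# that log-input adds, and the "packet"/"packets" variants are assumed from the other
# IPACCESSLOG message types (assumption, not verified against every IOS release).
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>[A-Z]+):\s+list\s+(?P<acl>\S+)\s+(?P<action>permitted|denied)\s+"
    r"(?P<proto>\w+)\s+(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))?"
    r"(?:\s+\((?P<intf>\S+)\s+(?P<mac>[0-9a-fA-F.]+)\))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?:\s+\((?P<icmp_type>\d+)/(?P<icmp_code>\d+)\))?"
    r",\s+(?P<count>\d+)\s+packets?"
)


def parse_line(line):
    """Return a dict for one log line, or None if it is not an IPACCESSLOG message."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    rec = {"acl": d["acl"], "action": d["action"], "proto": d["proto"],
           "src": d["src"], "dst": d["dst"], "count": int(d["count"])}
    if d["icmp_type"] is not None:
        rec["icmp"] = (int(d["icmp_type"]), int(d["icmp_code"]))
    if d["sport"] is not None and d["dport"] is not None:
        rec["sport"], rec["dport"] = int(d["sport"]), int(d["dport"])
    if d["intf"] is not None:
        rec["intf"] = d["intf"]
    return rec


def classify(rec, router_addrs):
    """A type 3 / code 13 unreachable sourced from one of the router's own addresses is the
    router's reply to a packet it denied earlier, not traffic originated by a PC."""
    if rec["proto"] == "icmp" and rec.get("icmp") == (3, 13) and rec["src"] in router_addrs:
        return "router_generated_unreachable"
    if rec["src"] in router_addrs:
        return "other_router_sourced"
    return "transit"


def summarize(lines, router_addrs):
    """Packet totals per class, summed from the 'N packets' field of each parsed line."""
    totals = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            totals[classify(rec, router_addrs)] += rec["count"]
    return dict(totals)


ROUTER_ADDRS = {"136.136.1.1"}  # the interface address named in the post
SAMPLE_LINES = [
    # the three lines from the post
    "%SEC-6-IPACCESSLOGDP: list 2302 denied icmp 136.136.1.1 -> 151.199.214.230 (3/13), 2 packets",
    "%SEC-6-IPACCESSLOGDP: list 2302 denied icmp 136.136.1.1 -> 130.85.193.10 (3/13), 1 packet",
    "%SEC-6-IPACCESSLOGDP: list 2302 denied icmp 136.136.1.1 -> 12.222.154.63 (3/13), 1 packet",
    # constructed for contrast: a PC behind the router whose telnet attempt the same list denied
    "%SEC-6-IPACCESSLOGP: list 2302 denied tcp 136.136.1.50(3456) (FastEthernet0/0 0000.0c12.3456) -> 12.222.154.63(23), 1 packet",
    "not a log line",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line))
    print(summarize(SAMPLE_LINES, ROUTER_ADDRS))
```

Run over the posted lines, every denied packet lands in the router_generated class; only the constructed TCP line shows a real host as the source.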
